Abstract — In the highly interconnected realm of the Internet of Things, the exchange of sensitive information raises severe privacy concerns. The Laplace mechanism, adding Laplace-distributed artificial noise to sensitive data, is one of the widely used methods of providing privacy guarantees within the framework of differential privacy. In this work, we present Lipschitz privacy, a slightly tighter version of differential privacy. We prove that the Laplace mechanism is optimal in the sense that it minimizes the mean-squared error for identity queries which provide privacy with respect to the $\ell_1$-norm. In addition to the $\ell_1$-norm, which respects individuals' participation, we focus on the use of the $\ell_2$-norm, which provides privacy of high-dimensional data. A variation of the Laplace mechanism is proven to have the optimal mean-squared error for the identity query. Finally, the optimal mechanism for the scenario in which individuals submit their high-dimensional sensitive data is derived.


I. Introduction 

The Internet of Things (IoT) envisions that everyday devices such as smartphones, power meters, and household appliances will exchange information and provide innovative services such as e-health and assisted living [1]. However, when a device communicates sensitive information (e.g. monitored activities, health records) over a vast network of interconnected things, privacy concerns are raised [2]. For example, traffic maps can be constructed by aggregating users' GPS traces, and users can benefit from such published maps by avoiding congested routes. On the other hand, publishing statistics of sensitive data of a population while providing privacy guarantees is not trivial. The Netflix prize is an example where, given publicly released information [3], an adversary can partially reconstruct private data [4]. Accurate, privacy-preserving mechanisms are essential for IoT to provide these services while respecting individuals' privacy [5].

Significant efforts have been made to address these privacy concerns [6], [7], [8], [9], [10], [11], [12]. Intuitively, uncertainty about the private data is introduced by publishing a perturbed response instead of the exact one. In the context of traffic monitoring, virtual trip lines and data cloaking techniques [13], [14] provide privacy against a given adversarial model. In practice, though, an adversary may be more powerful or informed than the model assumptions. Additionally, an information-theoretic framework based on mutual information was introduced [15]. However, this approach provides privacy guarantees in a probabilistic sense and, therefore, rare, but severe, privacy breaches are possible.

A rigorous notion of privacy is differential privacy which 
provides formal privacy guarantees without any assumptions 
on the adversary’s power [16] and is the notion used in 
this work. Specifically, while answering queries from private 
data, artificial noise is injected. This noise is deliberately 
designed and ensures that an adversary cannot confidently 
infer any individual’s private data, where an adjacency 
relation defines the pairs of inputs that are rendered almost 
indistinguishable. For a tight privacy level, increased amounts of noise are required and, consequently, the accuracy of the
noisy response degrades. Thus, a trade-off between privacy 
level and accuracy exists. Ideally, one would like to design 
optimal mechanisms that satisfy a predefined privacy level 
and approximate a given query with minimum mean-squared 
error. 

Several methods for constructing differentially private mechanisms have been proposed. In particular, given a score function for every pair of private input and public response, the exponential mechanism [17] provides a powerful way of building a private mechanism, although no performance guarantees were initially provided. The Laplace mechanism is an instance of the exponential mechanism for real, vector-valued private data which adds Laplace-distributed noise $V$ to the private data:

$$ P(V = v) \propto e^{-\epsilon \|v\|_1}, \qquad (1) $$

where $\epsilon \in (0, \infty)$ is the privacy level — smaller values of the parameter $\epsilon$ result in stronger privacy guarantees — and $\|\cdot\|_1$ is the $\ell_1$-norm. Near-optimality of the Laplace mechanism for a single integer-valued linear query was presented in [18], whereas, for linear queries, asymptotic (in the number of users) sub-optimality bounds were derived for a variant of the Laplace mechanism [19]. For single-dimensional private data, the exact optimality of the "staircase" mechanism, a quantized version of the Laplace mechanism, was established in [20]. Moreover, the Laplace mechanism was proven to be an entropy-minimizing private mechanism [21] under a version of differential privacy for metric spaces [22].

In this work, we establish optimality guarantees for the Laplace mechanism, i.e. adding Laplace-distributed noise (1). We formalize Lipschitz privacy, which is a slightly stronger version of differential privacy for metric spaces and allows us to pose the problem of designing optimal privacy-aware mechanisms as optimization problems where privacy requirements are included as constraints. We first prove that the Laplace mechanism optimally approximates real-valued private data by achieving the minimum mean-squared error. Besides the $\ell_1$-norm used in (1), we focus on the $\ell_2$-norm as the appropriate adjacency relation that captures the privacy aspects of sensitive signals, such as GPS and power consumption traces. In the $\ell_2$-norm case, we prove the optimality of a variant of the Laplace mechanism. Furthermore, we extend our optimality results to the case of a composite adjacency relation for the scenario when multiple individuals contribute their private signals, e.g. drivers report their GPS traces.

A brief overview of differential privacy is provided in Section II. In Section III, a version of differential privacy for Euclidean spaces is explored and strong connections with differential privacy are established. Section IV establishes the optimal private mechanism for the case of multi-dimensional identity queries both under $\ell_1$ and $\ell_2$ norms. We conclude this work with a discussion in Section V.


II. Differential Privacy Overview 

The framework of differential privacy was introduced in [23], [16]. According to this framework, whenever a query is submitted to private data, the exact response must be perturbed by noise upon release to the public. Formally, the definition of differential privacy is the following:

Definition 1: Let $\epsilon > 0$ be a given privacy level, $\mathcal{U}$ be the set of possible private data, $\mathcal{A} \subseteq \mathcal{U}^2$ be an adjacency relation over the private data, $\mathcal{Y}$ be the set of possible responses, and $\Delta(\mathcal{Y})$ be the set of probability measures over (a sufficiently rich $\sigma$-algebra of) $\mathcal{Y}$. A mechanism $Q : \mathcal{U} \to \Delta(\mathcal{Y})$ is $\epsilon$-differentially private if

$$ P(Qu \in S) \le e^{\epsilon} P(Qu' \in S) $$

for every $S \subseteq \mathcal{Y}$ and every $u, u' \in \mathcal{U}$ such that $(u, u') \in \mathcal{A}$.

Remark 1: For a given output set $\mathcal{Y}$, we assume the existence of a rich enough $\sigma$-algebra $\mathcal{M} \subseteq 2^{\mathcal{Y}}$. Slightly abusing notation, we write $S \subseteq \mathcal{Y}$ instead of $S \in \mathcal{M}$. Also, the set of probability measures over $(\mathcal{Y}, \mathcal{M})$ is denoted by $\Delta(\mathcal{Y})$. For a finite set of responses $\mathcal{Y}$, we assume $\mathcal{M} = 2^{\mathcal{Y}}$. In this approach, we focus on Euclidean spaces $\mathcal{Y} = \mathbb{R}^m$ and the Borel $\sigma$-algebra $\mathcal{M} = \mathcal{B}^m$.

Definition 1 considers randomized mappings, called mechanisms, from private data in $\mathcal{U}$ to responses in $\mathcal{Y}$. The adjacency relation $\mathcal{A}$ defines the pairs of inputs $(u, u')$ that are rendered almost indistinguishable to an adversary who observes only the response of the mechanism. The level of privacy is controlled by the parameter $\epsilon > 0$. Complete privacy is guaranteed for $\epsilon = 0$, whereas no privacy is respected for $\epsilon \to \infty$. A differentially private mechanism is a map from private data to distributions over the set of responses. Upon release, the differentially private response is given by a single random sample drawn from the distribution.

A differentially private mechanism needs to be useful at the same time. For example, a mechanism that responds identically for any input is $0$-differentially private, but also useless. To this end, we are interested in mechanisms $Q$ that approximate a given query $q : \mathcal{U} \to \mathcal{Y}$. We say that an $\epsilon$-differentially private mechanism is optimal (in the mean-squared sense) if it minimizes the mean-squared error of the desired query $q$. Characterization of the optimal private mechanism is fundamental for efficient applications of differential privacy.

In this work, we present optimal private mechanisms for identity queries under a general adjacency relation. Specifically, we focus on Euclidean spaces and assume each of the $n$ users contributes his $m$-dimensional sensitive data. Let $\mathcal{U} = \mathbb{R}^{n \times m}$ and $\mathcal{Y} = \mathbb{R}^{n \times m}$ and consider the adjacency relation $\mathcal{A}$ defined as:

$$ (u, u') \in \mathcal{A} \iff \exists i \ \text{s.t.} \ \|u_i - u'_i\|_2 \le \alpha \ \text{and} \ u_j = u'_j, \ \forall j \ne i. \qquad (2) $$

Adjacency relation (2) respects privacy of every individual's sensitive data $u_i$: even if an adversary is aware of every other user's data $u_j$, $j \ne i$, the adversary cannot confidently extract the value $u_i$.

III. Differential Privacy as Lipschitz Constraint 

In this section, we reformulate differential privacy for metric spaces as a Lipschitz constraint. This reformulation, which we call Lipschitz privacy, is closely related to the original notion of differential privacy introduced in [22]. In particular, the differential privacy constraint is viewed as a sensitivity constraint. The sensitive data is assumed to be an element of a complete vector space $\mathcal{U}$ equipped with a norm $\|\cdot\|$, and the set of possible responses is denoted by $\mathcal{Y}$. Formally, we provide the definition of Lipschitz privacy:

Definition 2 (Lipschitz privacy): Let $\mathcal{U}$ be a metric space and $\mathcal{Y}$ be a set of responses. A mechanism $Q : \mathcal{U} \to \Delta(\mathcal{Y})$ is called $\epsilon$-Lipschitz differentially private if the log-probability function is $\epsilon$-Lipschitz:

$$ |\ln P(Qu \in S) - \ln P(Qu' \in S)| \le \epsilon \|u - u'\|, \quad \forall u, u' \in \mathcal{U} \ \text{and} \ S \subseteq \mathcal{Y}. \qquad (3) $$

In practical applications, the space of private data $\mathcal{U} = \mathbb{R}^n$ is Euclidean, equipped with the $\ell_p$-norm. Assuming the mechanism $Q$ possesses a probability density function $g(u, y) = P(Qu = y)$, where $g(u, y)$ is almost everywhere differentiable in $u$, the Lipschitz condition (3) translates to a point-wise bound on the derivative with respect to the private input $u$ as follows: $g(\cdot, y)$ is continuous for all $y \in \mathcal{Y}$ and

$$ \|\nabla_u g(u, y)\|_* \le \epsilon\, g(u, y), \quad \text{for a.e. } u \in \mathcal{U} \ \text{and all } y \in \mathcal{Y}, $$

where $\|\cdot\|_*$ is the dual norm of $\|\cdot\|$.

A. A Metric as Adjacency Relation

The adjacency relation $\mathcal{A}$ in differential privacy is replaced by the metric $\|\cdot\|$ of the space $\mathcal{U}$ of private data. The composite adjacency relation (2) can be captured using $\ell_1$ and $\ell_2$ norms. Specifically, assume that the private data $u = [u_1, \dots, u_n]$ is an aggregation of $n$ individuals' high-dimensional data $u_i \in \mathbb{R}^m$. Then, adjacency relation (2) can be relaxed to:

$$ (u, u') \in \mathcal{A} \iff \sum_{i=1}^{n} \|u_i - u'_i\|_2 \le \alpha. \qquad (4) $$

According to the Lipschitz-privacy framework and assuming existence and differentiability of the density of the mechanism, adjacency relation (4) translates into a bound on the derivative of the mechanism:

$$ \|\nabla_{u_i} \ln g(u, y)\|_2 \le \epsilon, \quad \forall i \in \{1, \dots, n\}. \qquad (5) $$

Adjacency relation (4) can be viewed as an $\ell_2$-sensitivity constraint that ensures privacy of high-dimensional data. This constraint is encapsulated in an $\ell_1$-sensitivity constraint that respects individuals' participation in the scheme. Additionally, this expression ensures that privacy of individuals' sensitive data remains invariant under rotation transformations on the high-dimensional data $u_i$. This invariance is important in many theoretical and practical cases, such as privacy of the state of dynamical systems and privacy of GPS traces, respectively.
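The per-user sensitivity bound (5) can be checked numerically for a candidate noise density. The following is an added example, written here and not taken from the paper: it evaluates $\|\nabla_{u_i} \ln g\|_2$ by central differences for the composite Laplace density $g \propto e^{-\epsilon \sum_i \|v_i\|_2}$ (where the bound holds with equality) and for an isotropic Gaussian density (where it is violated far from the origin); all function names and the constructed test points are my own.

```python
import math

# Added example (my own code, not the paper's): checks the per-user sensitivity
# bound (5), ||grad_{u_i} ln g||_2 <= eps, numerically for the composite Laplace
# density exp(-eps * sum_i ||v_i||_2) and shows that a Gaussian density violates it.


def log_density_composite_laplace(v, n, m, eps):
    """ln g up to a constant for g proportional to exp(-eps * sum_i ||v_i||_2), v in R^{n*m}."""
    return -eps * sum(
        math.sqrt(sum(x * x for x in v[i * m:(i + 1) * m])) for i in range(n)
    )


def log_density_gaussian(v, sigma):
    """ln g up to a constant for an isotropic Gaussian with standard deviation sigma."""
    return -sum(x * x for x in v) / (2 * sigma * sigma)


def block_gradient_norm(log_g, v, i, m, h=1e-6):
    """||grad_{v_i} log_g(v)||_2 by central differences over the coordinates of user block i."""
    total = 0.0
    for j in range(i * m, (i + 1) * m):
        vp, vm = list(v), list(v)
        vp[j] += h
        vm[j] -= h
        d = (log_g(vp) - log_g(vm)) / (2 * h)
        total += d * d
    return math.sqrt(total)


def max_block_sensitivity(log_g, points, n, m):
    """Largest per-user gradient norm of ln g over the given sample points."""
    return max(block_gradient_norm(log_g, v, i, m) for v in points for i in range(n))


def grid_points(n, m, radius, count):
    """Constructed test points: scaled direction vectors spread over [-radius, radius].
    The origin is skipped because the Laplace log-density has a cusp there."""
    pts = []
    for k in range(1, count + 1):
        s = radius * (2 * k / count - 1)
        pts.append([s * (1 + 0.1 * j) for j in range(n * m)])
    return [p for p in pts if any(abs(x) > 1e-9 for x in p)]


if __name__ == "__main__":
    n, m, eps = 2, 3, 0.5
    pts = grid_points(n, m, 10.0, 9)
    lap = max_block_sensitivity(lambda v: log_density_composite_laplace(v, n, m, eps), pts, n, m)
    gau = max_block_sensitivity(lambda v: log_density_gaussian(v, 1.0), pts, n, m)
    print("Laplace max per-user gradient norm:", lap, "(bound eps =", eps, ")")
    print("Gaussian max per-user gradient norm:", gau, "(unbounded in the radius)")
```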


B. Connections between Lipschitz and Differential Privacy

The notion of Lipschitz privacy is closely related to that of differential privacy. Particularly, an $\epsilon$-Lipschitz private mechanism is also differentially private.

Proposition 3: Let $\alpha > 0$. Then, an $\epsilon$-Lipschitz private mechanism $Q$ is $\alpha\epsilon$-differentially private:

$$ P(Qu \in S) \le e^{\alpha\epsilon} P(Qu' \in S), \quad \forall u, u' : \|u - u'\| \le \alpha. $$

Many popular differentially private mechanisms, such as the Laplace and the exponential mechanism, are also Lipschitz-differentially private. One exception that fails to satisfy Lipschitz-privacy constraints is the staircase mechanism [20], since the underlying noise distribution is discontinuous. Specifically, the log-probability function $\ln P(Qu = y)$ is discontinuous and, hence, is not Lipschitz.

Proposition 4: Let $s : \mathcal{U} \times \mathcal{Y} \to \mathbb{R}$ be $L$-Lipschitz in $\mathcal{U}$. Then, the mechanism $Q$ with density

$$ P(Qu = y \mid u) \propto e^{\epsilon\, s(u, y)} $$

is $\epsilon L$-Lipschitz differentially private.

In the special case where $\mathcal{U} = \mathcal{Y} = \mathbb{R}^n$ and $s(u, y) = -\|u - y\|_p$, we recover the Laplace mechanism. Furthermore, Lipschitz privacy inherits the property of resiliency to post-processing. Identically to differential privacy, any further, possibly randomized, post-processing of the output carries the same privacy guarantees.

Proposition 5 (Post-processing): Consider an $\epsilon$-Lipschitz differentially private mechanism $Q : \mathcal{U} \to \Delta(\mathcal{Y})$ and a post-processing of the output $f : \mathcal{Y} \to \mathcal{Z}$. Then, the mechanism $f \circ Q$ is $\epsilon$-Lipschitz differentially private.

Propositions 3-5 establish that Lipschitz-differential privacy is a stricter version of differential privacy. Lipschitz privacy has some benefits over the original framework. Firstly, the privacy constraint is simplified; the adjacency relation is now captured by the metric of the space of private data. Furthermore, Lipschitz-differential privacy enables the use of calculus tools in designing and proving properties of mechanisms. Additionally, it provides a unified privacy framework that can support richer privacy-aware applications. Privacy is now viewed as a sensitivity constraint on the mapping between private inputs and published outputs.


IV. Optimal Private Mechanisms

In this section, the optimality of the Laplace mechanism is proven. Specifically, we prove that the Laplace mechanism minimizes the mean-squared error among all private mechanisms that use additive and input-independent noise. Initially, the result is derived for the case of a single-dimensional identity query. Next, the result is extended to the case of isotropic multi-dimensional queries under both $\ell_1$ and $\ell_2$ norms. The $\ell_1$-norm respects individuals' participation in the aggregation scheme and is related to event counting queries [24]. Moreover, the $\ell_2$-norm is invariant under rotations and is more suitable for high-dimensional private data such as GPS signals and power consumption traces. Finally, the optimal mechanism for the case of multiple individuals contributing their high-dimensional sensitive data is derived from the results for $\ell_1$ and $\ell_2$ norms.

A. Single-Dimensional Identity Query

The exponential mechanism introduced in [17] is a general way of building privacy-preserving mechanisms. Besides the exponential mechanism, specific mechanisms that approximate linear, high-dimensional queries were explored in [24]. However, no optimality guarantees were provided. Under the original framework of differential privacy, the staircase mechanism [20] is optimal for one-dimensional identity queries in the sense of mean-squared error. Asymptotic bounds on the sub-optimality of mechanisms approximating linear queries were introduced in [19]. In this approach, we are interested in exact optimality results. Specifically, we provide a proof of the optimality of the Laplace mechanism for the case of single-dimensional identity queries. In [21], the Laplace mechanism is proven to be an entropy-minimizer. In this work, we provide a proof that the Laplace mechanism achieves the minimal mean-squared error. In the following subsections, this result is extended to high-dimensional cases.

Initially, we focus on single-dimensional private data and Lipschitz-private mechanisms that add oblivious noise. In this setting, the mean-squared error is minimized when the noise is Laplace-distributed. The problem of designing the optimal private mechanism is initially posed as an infinite-dimensional linear program. Optimality of the Laplace distribution is proven by deriving the dual problem and constructing a dual feasible solution. In particular, the space of private data is the real line $\mathcal{U} = \mathbb{R}$ equipped with the absolute value as a metric. We approximate the identity query $q(u) = u$ with an $\epsilon$-Lipschitz private mechanism $Q$ that adds input-independent noise with probability measure $g$:

$$ Qu = u + V, \quad \text{where } V \sim g \in \Delta(\mathbb{R}), $$

where $\Delta(\mathcal{Y})$ denotes the set of probability measures over the set $\mathcal{Y}$. The following result establishes the optimality of the Laplace distribution.

Theorem 6: Consider the set of $\epsilon$-Lipschitz private mechanisms $Q : \mathbb{R} \to \Delta(\mathbb{R})$, $Qu = u + V$, that approximate the identity query $q : \mathbb{R} \to \mathbb{R}$, $q(u) = u$, where the noise $V$ is input-independent and has probability distribution $g$. The Laplace mechanism that adds noise with density $l(v) = \frac{\epsilon}{2} e^{-\epsilon |v|}$ achieves the minimal mean-squared error:

$$ \mathbb{E}_{V \sim g} (Qu - q(u))^2 = \mathbb{E}_{V \sim g} V^2 \ \ge\ \mathbb{E}_{V \sim l} V^2 = \frac{2}{\epsilon^2}. $$

Proof: A simplified but intuitive sketch of the proof is presented here. A full proof is presented in the Appendix. By definition, the optimal mechanism is the solution of the following optimization problem:

$$ \underset{g \in \Delta(\mathbb{R})}{\text{minimize}} \ \mathbb{E}_{V \sim g} V^2 \quad \text{s.t. } Q \text{ is } \epsilon\text{-Lipschitz private.} \qquad (6) $$

The optimization is over the infinite-dimensional space of probability measures over the real line. For a simplified proof, we restrict our attention to probability measures that are continuous and almost everywhere differentiable. This assumption is removed in the technical proof. The privacy constraint is massaged:

$$ Q \text{ is } \epsilon\text{-Lipschitz private} \implies \left| \frac{d}{du} \ln P(Qu = y) \right| \le \epsilon, \ \forall u, y \iff \left| \frac{d}{du} P(V = y - u) \right| \le \epsilon P(V = y - u), \ \forall u, y \iff |g'(v)| \le \epsilon g(v), \ \forall v. $$

Specifically, $g$ should be continuous and $g'$ should exist almost everywhere. Problem (6) can, then, be restated as a linear program:

$$ \underset{g \in AC(\mathbb{R} \to \mathbb{R}_+)}{\text{minimize}} \int_{\mathbb{R}} v^2 g(v)\, dv \quad \text{s.t. } \int_{\mathbb{R}} g(v)\, dv = 1, \quad -\epsilon g(v) \le g'(v) \le \epsilon g(v), \ \forall v \in \mathbb{R}, \qquad (7) $$

where $AC$ denotes the set of absolutely continuous functions. Problem (7) is an infinite-dimensional linear program with uncountably many constraints. We assign the dual variables $\lambda \in \mathbb{R}$ and $\kappa, \mu : \mathbb{R} \to \mathbb{R}_+$ to the two constraints, respectively. The dual of Problem (7) is:

$$ \underset{\lambda \in \mathbb{R},\ \eta \in C^1(\mathbb{R})}{\text{maximize}} \ \lambda \quad \text{s.t. } \eta'(v) + \epsilon |\eta(v)| \le v^2 - \lambda, \ \forall v \in \mathbb{R}, \quad \lim_{v \to \infty} \eta(v) \ge 0, \quad \lim_{v \to -\infty} \eta(v) \le 0. \qquad (8) $$

Once both the primal Problem (7) and the dual Problem (8) are stated, we construct primal and dual feasible solutions, invoke weak duality, and establish optimality. The Laplace distribution $g(v) = \frac{\epsilon}{2} e^{-\epsilon |v|}$ is a primal feasible solution for Problem (7) with cost $\frac{2}{\epsilon^2}$. Moreover, we construct a dual feasible solution for Problem (8) with cost arbitrarily close to $\lambda^* = \frac{2}{\epsilon^2}$. Specifically, for any $\lambda < \lambda^*$, we are able to construct a dual feasible solution $(\lambda, \eta)$ that satisfies the initial value problem:

$$ \eta(0) = 0 \quad \text{and} \quad \eta'(v) + \epsilon |\eta(v)| = v^2 - \lambda, \ \forall v \in \mathbb{R} \setminus \{0\}. \qquad (9) $$
Fig. 1: The dual variable $\eta(v)$ is the solution to the initial value problem $\eta'(v) + \epsilon|\eta(v)| = v^2 - \lambda$, $\eta(0) = 0$ for different values of $\lambda$. A feasible solution needs to satisfy the boundary constraint $\lim_{v \to \infty} \eta(v) \ge 0$. For $\lambda < \lambda^*$, the solution $\eta$ is feasible.

Figure 1 plots the unique solution $\eta : \mathbb{R} \to \mathbb{R}$ of the initial value problem (9) for different values of $\lambda$. For $\lambda < \lambda^*$, the unique solution $\eta$ of the initial value problem (9) is feasible since it satisfies the boundary constraints:

$$ \lim_{v \to \infty} \eta(v) \ge 0, \quad \lim_{v \to -\infty} \eta(v) \le 0. $$

On the contrary, the dual variable $\eta$ is infeasible for $\lambda > \lambda^*$. Weak duality establishes the optimality of the Laplace mechanism. Surprisingly, the dual solution $\eta(v) = -\frac{v}{\epsilon^2}(\epsilon|v| + 2)$ for the optimal value $\lambda^*$ is infeasible. The infinite dimensionality of the problem leads to an open set of feasible solutions for Problem (8) and generates this paradox.

■ 
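The behaviour of the dual variable around $\lambda^*$ can be reproduced numerically. The following added Python script (written for this page, not the paper's code) integrates the initial value problem (9) with a fourth-order Runge-Kutta step and checks the boundary constraint of Problem (8), and it verifies that the closed form $\eta(v) = -\frac{v}{\epsilon^2}(\epsilon|v| + 2)$ solves (9) at $\lambda^*$; the function names, the integration range and the step size are my choices.

```python
import math

# Added example: numerical companion to the duality proof of Theorem 6.
# All function names are my own; eps is the privacy level of the paper.


def laplace_dual_cost(eps):
    """lambda* = 2/eps^2: variance of the Laplace noise and optimal value of dual (8)."""
    return 2.0 / eps ** 2


def closed_form_eta(v, eps):
    """The dual variable at lambda = lambda*: eta(v) = -v (eps|v| + 2) / eps^2."""
    return -v * (eps * abs(v) + 2.0) / eps ** 2


def ode_residual(v, eps, h=1e-6):
    """Residual eta'(v) + eps|eta(v)| - (v^2 - lambda*) of the closed form, with the
    derivative taken by a central difference; zero (up to rounding) means it solves (9)
    at v != 0."""
    d = (closed_form_eta(v + h, eps) - closed_form_eta(v - h, eps)) / (2 * h)
    return d + eps * abs(closed_form_eta(v, eps)) - (v * v - laplace_dual_cost(eps))


def solve_ivp_eta(lam, eps, v_max=12.0, steps=12000):
    """Integrate eta' = v^2 - lam - eps|eta|, eta(0) = 0, over [0, v_max] with RK4 and
    return eta(v_max), used as a proxy for lim_{v -> inf} eta(v)."""
    def f(v, eta):
        return v * v - lam - eps * abs(eta)

    h = v_max / steps
    v, eta = 0.0, 0.0
    for _ in range(steps):
        k1 = f(v, eta)
        k2 = f(v + h / 2, eta + h * k1 / 2)
        k3 = f(v + h / 2, eta + h * k2 / 2)
        k4 = f(v + h, eta + h * k3)
        eta += h * (k1 + 2 * k2 + 2 * k3 + k4) / 6
        v += h
    return eta


def dual_feasible(lam, eps):
    """Boundary constraint of (8) at +infinity, checked at v_max. The solution of (9) is
    an odd function of v, so the constraint at -infinity holds whenever this one does."""
    return solve_ivp_eta(lam, eps) >= 0.0


if __name__ == "__main__":
    eps = 1.0
    print("lambda* =", laplace_dual_cost(eps))
    for lam in (1.5, 1.9, 2.1, 2.5):
        print("lambda =", lam, "feasible:", dual_feasible(lam, eps))
```

For $\lambda$ below $\lambda^*$ the integrated $\eta$ eventually turns positive and grows like $v^2/\epsilon$, while for $\lambda$ above $\lambda^*$ it diverges to $-\infty$, which is the picture of Fig. 1.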

The staircase mechanism [20] can be viewed as an approximation of the Laplace mechanism. Although it features better mean-squared error than the Laplace mechanism, the staircase mechanism is not $\epsilon$-Lipschitz private for any finite value of $\epsilon$. Thus, the staircase mechanism is not a feasible solution to Problem (6).


B. High-Dimensional Identity Query under $\ell_1$-norm

Differential privacy is mainly targeted at schemes where individuals contribute their personal data to a single database. In such schemes, the sensitive data $u$ contains each individual's private data $u_i$ at coordinate $i$. Here, we extend the previous results to high-dimensional identity queries. Privacy-aware approximation of identity queries can be interpreted as synthetic databases which are post-processed to answer any subsequent query. More formally, let the space of sensitive data be the real space $\mathcal{U} = \mathbb{R}^n$ equipped with the $\ell_1$-norm. We focus on the case of identity queries $q : \mathbb{R}^n \to \mathbb{R}^n$ with $q(u) = u$. A generalized version of Theorem 6 establishes optimality of the Laplace mechanism:

Theorem 7: Consider the $\epsilon$-Lipschitz private (with respect to the $\ell_1$-norm) mechanism $Q : \mathbb{R}^n \to \Delta(\mathbb{R}^n)$ of the form $Qu = u + V$, with $V \sim g \in \Delta(\mathbb{R}^n)$. Then, the Laplace mechanism that adds oblivious noise with density $g = l_1(v) = \left(\frac{\epsilon}{2}\right)^n e^{-\epsilon \|v\|_1}$ minimizes the mean-squared error:

$$ \mathbb{E}_{V \sim g} \|V\|_2^2 \ \ge\ \mathbb{E}_{V \sim l_1} \|V\|_2^2 = \frac{2n}{\epsilon^2}. $$

Proof: Similarly to the proof of Theorem 6, the optimal mechanism is the solution of the following optimization problem:

$$ \underset{g \in AC(\mathbb{R}^n \to \mathbb{R}_+)}{\text{minimize}} \int_{\mathbb{R}^n} g(v)\, v^T v\, dv \quad \text{s.t. } \int_{\mathbb{R}^n} g(v)\, dv = 1, \quad \|\nabla g(v)\|_\infty \le \epsilon g(v), \ \forall v \in \mathbb{R}^n. \qquad (10) $$

The last constraint is equivalent to

$$ -\epsilon g(v) \le \frac{\partial g}{\partial v_i}(v) \le \epsilon g(v), \quad \forall v \in \mathbb{R}^n, \ \forall i \in \{1, \dots, n\}. $$

We consider the dual variables $\lambda \in \mathbb{R}$ and $\kappa_i, \mu_i : \mathbb{R}^n \to \mathbb{R}_+$, set $\eta_i(v) = \mu_i(v) - \kappa_i(v)$, and derive the dual problem:

$$ \underset{\lambda \in \mathbb{R},\ \eta_i \in C^1(\mathbb{R}^n \to \mathbb{R})}{\text{maximize}} \ \lambda \quad \text{s.t. } \sum_{i=1}^{n} \frac{\partial \eta_i}{\partial v_i}(v) + \epsilon \sum_{i=1}^{n} |\eta_i(v)| \le v^T v - \lambda, \ \forall v \in \mathbb{R}^n, \quad \lim_{v_i \to \infty} \eta_i(v) \ge 0, \ \lim_{v_i \to -\infty} \eta_i(v) \le 0, \ \forall i. \qquad (11) $$

The solution $g(v) = \left(\frac{\epsilon}{2}\right)^n e^{-\epsilon \|v\|_1}$ is feasible for the primal Problem (10) and features cost $\frac{2n}{\epsilon^2}$. A feasible solution for the dual Problem (11) is defined as:

$$ \eta_i(v) = \eta_{1d}(v_i), \quad \lambda = n \lambda_{1d}, $$

where $(\lambda_{1d}, \eta_{1d})$ is a feasible dual solution for the single-dimensional case given by the initial value problem (9). Therefore, the dual Problem (11) admits a feasible solution with cost arbitrarily close to $\lambda^*$. Weak duality establishes the optimality of the Laplace mechanism. ■


C. High-Dimensional Identity Query under $\ell_2$-norm

Differential privacy with respect to the $\ell_1$-norm captures privacy against the participation of individual users. The $\ell_2$-norm is more suitable for users that contribute high-dimensional data such as GPS and power consumption traces. Once again, a version of the Laplace mechanism is proven to achieve the minimum mean-squared error among all $\epsilon$-Lipschitz private mechanisms that approximate the identity query by adding oblivious noise:

Theorem 8: Consider the $\epsilon$-Lipschitz private (with respect to the $\ell_2$-norm) mechanism $Q : \mathbb{R}^n \to \Delta(\mathbb{R}^n)$ of the form $Qu = u + V$, with $V \sim g \in \Delta(\mathbb{R}^n)$. Then, the Laplace mechanism that adds noise $V$ with density $g = l_2(v) \propto e^{-\epsilon \|v\|_2}$ minimizes the mean-squared error:

$$ \mathbb{E}_{V \sim g} \|V\|_2^2 \ \ge\ \mathbb{E}_{V \sim l_2} \|V\|_2^2 = \frac{n(n+1)}{\epsilon^2}. $$

Proof: Once again, the optimal private mechanism is posed as an optimization problem:

$$ \underset{g \in AC(\mathbb{R}^n \to \mathbb{R}_+)}{\text{minimize}} \int_{\mathbb{R}^n} g(v)\, v^T v\, d^n v \quad \text{s.t. } \int_{\mathbb{R}^n} g(v)\, d^n v = 1, \quad \nabla g(v) \cdot a \le \epsilon g(v), \ \text{for a.e. } v \in \mathbb{R}^n, \ \forall a \in \mathbb{R}^n, \ \|a\|_2 = 1, \qquad (12) $$

where the last constraint is equivalent to the privacy constraint $\|\nabla g(v)\|_2 \le \epsilon g(v)$. Consider the dual variables $\lambda \in \mathbb{R}$ and $\kappa : \mathbb{R}^n \times \mathbb{S}^{n-1} \to \mathbb{R}_+$, where $\mathbb{S}^{n-1} = \{a \in \mathbb{R}^n : \|a\|_2 = 1\}$. Moreover, set $\eta(v) = \kappa(v) - \mu(v)$, and formulate the dual problem of Problem (12):

$$ \underset{\lambda \in \mathbb{R},\ \kappa : \mathbb{R}^n \times \mathbb{S}^{n-1} \to \mathbb{R}_+}{\text{maximize}} \ \lambda \quad \text{s.t. } \nabla \cdot \int_{\mathbb{S}^{n-1}} a\, \kappa(v, a)\, da + \epsilon \int_{\mathbb{S}^{n-1}} \kappa(v, a)\, da \le v^T v - \lambda, \quad \lim_{\|v\|_2 \to \infty} \int_{\mathbb{S}^{n-1}} a \cdot v\, \kappa(v, a)\, da \ge 0. \qquad (13) $$

A feasible solution for the primal Problem (12) is:

$$ g(v) = \frac{\epsilon^n\, \Gamma\!\left(\frac{n}{2} + 1\right)}{\pi^{n/2}\, \Gamma(n + 1)}\, e^{-\epsilon \|v\|_2} \qquad (14) $$

with mean-squared error $\lambda^* = \frac{n(n+1)}{\epsilon^2}$. On the other hand, there exists a dual feasible solution for Problem (13) with cost arbitrarily close to $\lambda^*$. Consider a dual feasible solution of the form:

$$ \kappa(v, a) = [\eta(\|v\|_2)]^+ \, \delta\!\left(a - \frac{v}{\|v\|_2}\right) + [\eta(\|v\|_2)]^- \, \delta\!\left(a + \frac{v}{\|v\|_2}\right), $$

where $\delta$ is Dirac's delta function on the unit sphere $\mathbb{S}^{n-1}$, $\eta : \mathbb{R}_+ \to \mathbb{R}$ is a suitable function, and $[\cdot]^+$ and $[\cdot]^-$ are the positive and negative parts of a function, respectively. Then, we can reduce the feasible region of Problem (13) and rewrite it as

$$ \underset{\lambda \in \mathbb{R},\ \eta : \mathbb{R}_+ \to \mathbb{R}}{\text{maximize}} \ \lambda \quad \text{s.t. } \eta'(r) + \frac{n-1}{r}\eta(r) + \epsilon|\eta(r)| \le r^2 - \lambda, \quad \lim_{r \to \infty} \eta(r) \ge 0. \qquad (15) $$

Similarly to the proof of Theorem 6, a feasible solution $(\lambda, \eta)$ of Problem (15) of the following form is constructed:

$$ \eta'(r) + \frac{n-1}{r}\eta(r) + \epsilon|\eta(r)| = r^2 - \lambda \quad \text{and} \quad \eta(0) = 0. \qquad (16) $$

Figure 2 shows the solution of the initial value problem (16) for different values of $\lambda$. For $\lambda < \lambda^*$, the solution is feasible and, thus, the optimality of the density (14) for Problem (12) is established.

Again, for $\lambda = \lambda^*$, the dual solution $\eta(r) = -\frac{r}{\epsilon^2}(\epsilon r + n + 1)$ is infeasible as a result of the infinite-dimensional nature of Problem (13). ■

Samples from distribution (14) can be efficiently generated. The magnitude $r = \|v\|_2$ of the noise is drawn from the Gamma distribution

$$ r \sim \frac{\epsilon^n\, r^{n-1} e^{-\epsilon r}}{\Gamma(n)}, $$

and the direction $v / \|v\|_2$ is uniformly sampled from the sphere $\mathbb{S}^{n-1}$.

D. Multiple Users with High-Dimensional Private Data

In this section, the case of multiple users contributing their high-dimensional sensitive data is explored. Specifically, consider $n$ individuals. Each individual contributes his $m$-dimensional sensitive data $u_i \in \mathbb{R}^m$, $i \in \{1, \dots, n\}$. Furthermore, we are interested in releasing a privacy-aware version of the sensitive data under an adjacency relation that preserves both individuals' participation and each user's data. These aspects of privacy are captured by adjacency relation (4) derived earlier.

Fig. 2: The dual variable $\eta(r)$ is the solution to the initial value problem $\eta'(r) + \frac{n-1}{r}\eta(r) + \epsilon|\eta(r)| = r^2 - \lambda$, $\eta(0) = 0$ for different values of $\lambda$. A feasible solution needs to satisfy the boundary constraint $\lim_{r \to \infty} \eta(r) \ge 0$. For $\lambda < \lambda^*$, the solution $\eta$ is feasible.

In particular, let the space of private data be $\mathcal{U} = \mathbb{R}^{n \cdot m}$ and consider private mechanisms $Q$ that add input-independent noise $V \sim g$ to the private data $u$. Similarly to the previous case, a version of the Laplace mechanism provides the optimal mean-squared error.

Theorem 9: Consider the $\epsilon$-Lipschitz private (with respect to the adjacency relation (4)) mechanism $Q : \mathbb{R}^{n \cdot m} \to \Delta(\mathbb{R}^{n \cdot m})$ of the form $Qu = u + V$, with $V \sim g \in \Delta(\mathbb{R}^{n \cdot m})$. Then, the Laplace mechanism that adds oblivious noise with density $g = l_{n,m}(v) \propto e^{-\epsilon \sum_{i=1}^{n} \|v_i\|_2}$ minimizes the mean-squared error:

$$ \mathbb{E}_{V \sim g} \|V\|_2^2 \ \ge\ \mathbb{E}_{V \sim l_{n,m}} \|V\|_2^2 = \frac{nm(m+1)}{\epsilon^2}. $$

Proof: The primal optimization problem is as follows:

$$ \underset{g \in AC(\mathbb{R}^{n \cdot m} \to \mathbb{R}_+)}{\text{minimize}} \int_{\mathbb{R}^{n \cdot m}} g(v)\, v^T v\, dv \quad \text{s.t. } \int_{\mathbb{R}^{n \cdot m}} g(v)\, dv = 1, \quad \|\nabla_i g(v)\|_2 \le \epsilon g(v), \ \forall i \in [n], \ \forall v \in \mathbb{R}^{n \cdot m}, $$

where $\nabla_i g = \left[ \frac{\partial g}{\partial v_{(i-1) \cdot m + 1}} \ \cdots \ \frac{\partial g}{\partial v_{i \cdot m}} \right]$ and $[n] = \{1, \dots, n\}$. The dual problem is formulated in terms of the radii $r_i = \|v_i\|_2$:

$$ \underset{\lambda,\ \eta_i}{\text{maximize}} \ \lambda \quad \text{s.t. } \sum_{i=1}^{n} \left[ \eta_i'(r_i) + \frac{m-1}{r_i}\eta_i(r_i) + \epsilon|\eta_i(r_i)| \right] \le \sum_{i=1}^{n} r_i^2 - \lambda, \quad \text{and} \quad \lim_{r_i \to \infty} \eta_i(r_i) \ge 0, \ \forall i. $$

A pair of feasible primal and dual solutions is constructed:

$$ g(v) = \prod_{i=1}^{n} \frac{\epsilon^m\, \Gamma\!\left(\frac{m}{2} + 1\right)}{m\, \pi^{m/2}\, \Gamma(m)}\, e^{-\epsilon \|v_i\|_2}, \quad \eta_i(r_i) = \eta_{\ell_2}(r_i), \quad \text{and} \quad \lambda = n \lambda_{\ell_2}, $$

where $(\lambda_{\ell_2}, \eta_{\ell_2})$ is the dual solution of Theorem 8. Weak duality establishes the optimality of the solution. ■


V. Discussion

In this work, we explored Lipschitz privacy, which is
a version of differential privacy that is adapted for metric 
spaces. Moreover, we proved that, for a given privacy level, the Laplace mechanism minimizes the mean-squared error among all single-dimensional mechanisms that add input-independent noise. The design of the optimal private mechanism is initially formulated as a linear program. Then, the optimality of the Laplace mechanism is established by constructing a pair of primal and dual feasible solutions with zero duality gap. Next, the result is extended to high-dimensional real spaces equipped with the $\ell_1$-norm. The case of the $\ell_1$-norm corresponds to the case of providing privacy guarantees with respect to the participation of any individual. Furthermore, the optimality of a variation of the Laplace mechanism is established for real spaces equipped with the $\ell_2$-norm. In this case, the privacy guarantees are invariant under rotations and, thus, this choice of norm captures the case where every individual provides high-dimensional sensitive data. A combination of the two results provides the optimal privacy-aware approximation of the aggregation of high-dimensional sensitive data of multiple individuals. Future directions include optimality guarantees for more general classes of queries beyond identity queries. Moreover, it is useful to study optimality results for other composite adjacency relations such as that proposed in [25].
Appendix

Theorem 6 establishes the optimality of the Laplace mechanism for a single-dimensional identity query. A more technical proof is presented here. First, we prove that, for Lipschitz differential privacy guarantees to hold, the additive noise should possess a density.

Lemma 10: Consider the $\epsilon$-Lipschitz private mechanism $Q$ that uses oblivious, additive noise $V$. Specifically, let $Qu = u + V$, where $V$ has probability measure $g \in \Delta(\mathbb{R})$. Then $V$ possesses a density.

Proof: We prove that the cumulative distribution function $G$ of $V$,

$$ G(x) = P(V \le x), $$

is absolutely continuous. For any measurable $S \subseteq \mathbb{R}$ and any $u_1, u_2 \in \mathbb{R}$, Lipschitz privacy dictates that:

$$ |\ln P(Qu_1 \in S) - \ln P(Qu_2 \in S)| \le \epsilon |u_1 - u_2|. $$

Let $S = (-\infty, 0]$, $u_1 = -x$, and $u_2 = -y$, with $x < y$. Then:

$$ |\ln P(V \le x) - \ln P(V \le y)| \le \epsilon |x - y| \implies |P(V \le x) - P(V \le y)| \le P(V \le x)\, \epsilon |x - y| \implies |G(x) - G(y)| \le \epsilon |x - y|. $$

Therefore, $G$ is absolutely continuous and, hence, $V$ possesses a density. Abusing notation, we denote the density of the noise $V$ with $g$. ■

We now provide a technical proof of Theorem 6.

Proof: Consider the $\epsilon$-Lipschitz differentially private mechanisms that use additive, oblivious noise $V$ with probability measure $g$:

$$ Q : \mathbb{R} \to \Delta(\mathbb{R}), \quad Qu = u + V, \ \text{where } V \sim g. $$

Solving for the optimal, in the mean-squared error sense, probability measure is posed as a linear, but infinite-dimensional, program:

$$ \underset{g \in \Delta(\mathbb{R})}{\text{minimize}} \ \mathbb{E}_{V \sim g} V^2 \quad \text{s.t. } g \text{ is } \epsilon\text{-Lipschitz diff. private.} \qquad (17) $$

Lemma 10 establishes that $V$ possesses a density, which is abusively denoted by $g(v)$. Therefore, Problem (17) is equivalently written as:

$$ \underset{g \in C^0(\mathbb{R} \to \mathbb{R})}{\text{minimize}} \int_{\mathbb{R}} g(v) v^2\, dv \quad \text{s.t. } \int_{\mathbb{R}} g(v)\, dv = 1, \ g(v) \ge 0, \ \forall v, \quad \limsup_{\delta \to 0} \frac{|g(v + \delta) - g(v)|}{|\delta|} \le \epsilon g(v), \ \forall v. \qquad (18) $$

Problem (18) is an infinite-dimensional linear program with infinitely many constraints; thus, it is unclear whether the minimum is achievable. The Laplace distribution $l_\epsilon(v) = \frac{\epsilon}{2} e^{-\epsilon |v|}$ is a feasible solution with mean-squared error $\frac{2}{\epsilon^2}$. We now discretize, dualize, and take limits in order to compute the dual problem. As a result, we prove that the dual variable is differentiable and we retrieve the formulation of the dual problem. Consider $N$ discrete points:

$$ v_i = -M + i \cdot \nu, \quad i \in \{1, \dots, N\}, $$

where $\nu$ is the discretization step and $M$ is the truncation limit. For $g_i = g(v_i)$, the original optimization problem is now approximated by its discretized version:

\[ \underset{\{g_i\} \in \mathbb{R}^N}{\text{minimize}} \ \sum_{i=1}^{N} g_i\, v_i^2\, \nu \]

\[ \text{s.t. } \sum_{i=1}^{N} g_i\, \nu = 1, \ \text{and } g_i \ge 0, \ \forall i, \]

\[ -\varepsilon \cdot \frac{g_i + g_{i+1}}{2} \le \frac{g_{i+1} - g_i}{\nu} \le \varepsilon \cdot \frac{g_i + g_{i+1}}{2}, \ \forall i. \]


Let $\lambda \in \mathbb{R}$, and $\kappa_i, \mu_i \in \mathbb{R}_+$ with $i \in \{1, \dots, N-1\}$ be the dual variables for the first and the second constraint, respectively. The Lagrangian of the optimization problem is computed and minimized over $\{g_i\}_{i=1}^{N}$:

\[ \mathcal{L}(g, \lambda, \kappa, \mu) = \sum_{i=1}^{N} g_i\, v_i^2\, \nu + \lambda - \lambda \sum_{i=1}^{N} g_i\, \nu - \sum_{i=1}^{N-1} \kappa_i \left[ \varepsilon \frac{g_i + g_{i+1}}{2} + \frac{g_{i+1} - g_i}{\nu} \right] - \sum_{i=1}^{N-1} \mu_i \left[ \varepsilon \frac{g_i + g_{i+1}}{2} - \frac{g_{i+1} - g_i}{\nu} \right]. \]

Thus, the dual problem is the following:

\[ \underset{\lambda, \{\kappa_i\}, \{\mu_i\}}{\text{maximize}} \ \lambda \]

\[ \text{s.t. } \varepsilon \frac{\kappa_{i-1} + \kappa_i}{2} + \varepsilon \frac{\mu_{i-1} + \mu_i}{2} + \frac{\kappa_{i-1} - \kappa_i}{\nu} + \frac{\mu_i - \mu_{i-1}}{\nu} \le v_i^2\, \nu - \lambda\, \nu, \ \forall i \in \{2, \dots, N-1\}, \]

\[ v_1^2\, \nu - \lambda\, \nu - \varepsilon \frac{\mu_1 + \kappa_1}{2} - \frac{\mu_1 - \kappa_1}{\nu} \ge 0, \]

\[ v_N^2\, \nu - \lambda\, \nu - \varepsilon \frac{\kappa_{N-1} + \mu_{N-1}}{2} + \frac{\mu_{N-1} - \kappa_{N-1}}{\nu} \ge 0, \]

\[ \kappa_i \ge 0 \ \text{and } \mu_i \ge 0, \ \forall i \in \{1, \dots, N-1\}. \]


Complementary slackness of the primal problem suggests that, for each $i$, either $\kappa_i = 0$ or $\mu_i = 0$. Therefore, we seek dual feasible solutions such that $\eta_i = \mu_i - \kappa_i$ and $|\eta_i| = \mu_i + \kappa_i$:

\[ \underset{\lambda, \{\eta_i\}}{\text{maximize}} \ \lambda \]

\[ \text{s.t. } \varepsilon \frac{|\eta_{i-1}| + |\eta_i|}{2} + \frac{\eta_i - \eta_{i-1}}{\nu} \le v_i^2\, \nu - \lambda\, \nu, \ \forall i \in \{2, \dots, N-1\}, \]

\[ v_1^2\, \nu - \lambda\, \nu - \varepsilon \frac{|\eta_1|}{2} - \frac{\eta_1}{\nu} \ge 0, \]

\[ v_N^2\, \nu - \lambda\, \nu - \varepsilon \frac{|\eta_{N-1}|}{2} + \frac{\eta_{N-1}}{\nu} \ge 0. \]

We first set $N$ and let $M \to \infty$ and, then, let $\nu \to 0$. The discretized dual problem converges to the continuous one:

\[ \underset{\lambda \in \mathbb{R}, \ \eta \in \mathcal{C}(\mathbb{R} \to \mathbb{R})}{\text{maximize}} \ \lambda \]

\[ \text{s.t. } \eta'(v) + \varepsilon |\eta(v)| \le v^2 - \lambda, \ \forall v \in \mathbb{R}, \]

\[ \lim_{v \to \infty} \eta(v) \ge 0, \quad \lim_{v \to -\infty} \eta(v) \le 0. \]

The last step of the proof includes building a feasible dual solution for $\lambda = \frac{2 - \delta}{\varepsilon^2}$, for small, positive values of $\delta$. Specifically, we fix this $\lambda$ and solve the initial value problem:

\[ \eta'(v) + \varepsilon |\eta(v)| = v^2 - \lambda, \ \text{and } \eta(0) = 0. \qquad (19) \]


Existence and uniqueness of solutions for the initial value problem (19) implies that it only needs to be checked that the unique solution satisfies the boundary constraints. Some technical analysis proves that, for small and positive values of $\delta$, the solution $\eta$ to the initial value problem (19) indeed satisfies the constraints:

\[ \lim_{v \to \infty} \eta(v) \ge 0 \quad \text{and} \quad \lim_{v \to -\infty} \eta(v) \le 0. \]

Fig. 3: The dual solution $\eta$ for small values of $\delta$. The function $\eta$ changes curvature at $v_1$, becomes increasing at $v_2$, and is zero at $v_3$. For small values of $\delta$, once $\eta$ becomes positive, it remains increasing and, thus, positive.

TABLE I: Elementary analysis on the behaviour of function $\eta(v)$ for small and positive values of $\delta$.

Due to symmetry, we focus only on the case of $v > 0$. Table I summarizes the signs of $\eta$ and its derivatives. Specifically, the solution $\eta$ is negative until $v_3$. While $\eta$ remains negative, it satisfies the initial value problem:

\[ \eta'(v) - \varepsilon\, \eta(v) = v^2 - \lambda \ \text{and } \eta(0) = 0. \]

The single root of the second derivative is analytically computed:

\[ v_1 = \frac{\ln 2 - \ln \delta}{\varepsilon}. \]

At $v_3$, the dual function $\eta$ becomes positive and satisfies the initial value problem (20):

\[ \eta'(v) + \varepsilon\, \eta(v) = v^2 - \lambda \ \text{and } \eta(v_3) = 0. \qquad (20) \]

The value $v_3$ can become arbitrarily large. Indeed, it holds that $v_3 > v_1$ and, for small enough values of $\delta$, $v_1$ can become as large as needed. Therefore, for small enough values of $\delta$, the derivative of the solution of Equation (20) remains positive:

\[ \eta'(v) = \frac{2(v\varepsilon - 1)}{\varepsilon^2} + \frac{e^{-\varepsilon (v - v_3)} \left( \varepsilon^2 v_3^2 - 2 v_3 \varepsilon + \delta \right)}{\varepsilon^2}, \]

for $v > v_3$.

The cost of the constructed dual feasible solution is $\lambda = \frac{2 - \delta}{\varepsilon^2}$ and can be made as close as desired to the cost of the Laplace distribution. Weak duality completes the proof. ■

Remark 2: For $\lambda = \frac{2}{\varepsilon^2}$, we consider the dual solution $\eta(v) = -\frac{1}{\varepsilon^2}\, v \left( \varepsilon |v| + 2 \right)$, which satisfies the differential equation. However, it fails to satisfy the boundary conditions since it quadratically explodes. Instead, for $\lambda > \frac{2}{\varepsilon^2}$, the dual solution explodes exponentially. Despite the qualitative difference between the two cases, they are both infeasible.
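The following Python script is an added example, not code from the paper or its authors. It checks numerically the two objects the proof above rests on: on the primal side, that Laplace noise is feasible for Problem (18) and has mean-squared error $2/\varepsilon^2$; on the dual side, that integrating the initial value problem (19) with $\lambda = (2 - \delta)/\varepsilon^2$ yields a function $\eta$ that changes curvature at $v_1 = (\ln 2 - \ln \delta)/\varepsilon$, becomes positive and then stays increasing, whereas the closed-form dual of Remark 2 ($\delta = 0$) never does. The Laplace density $(\varepsilon/2) e^{-\varepsilon |v|}$, the choice $\lambda = (2 - \delta)/\varepsilon^2$, the hand-written RK4 integrator and all function names are this example's own assumptions.

```python
"""Numerical companion to the Laplace-optimality proof (added example, not the paper's code)."""
import math


def laplace_density(v: float, eps: float) -> float:
    """Laplace noise density (eps/2) exp(-eps|v|), scale 1/eps (assumed form of l_eps)."""
    return 0.5 * eps * math.exp(-eps * abs(v))


def lipschitz_violation(density, eps: float, lo=-10.0, hi=10.0, n=2001) -> float:
    """Largest excess of |ln g(x) - ln g(y)| over eps|x - y| on a grid (0 means feasible).
    Adjacent grid points are compared, the discrete analogue of the lim sup constraint in (18)."""
    step = (hi - lo) / (n - 1)
    worst = 0.0
    for i in range(n - 1):
        x = lo + i * step
        ratio = abs(math.log(density(x, eps)) - math.log(density(x + step, eps)))
        worst = max(worst, ratio - eps * step)
    return worst


def mean_squared_error(density, eps: float, lo=-40.0, hi=40.0, n=80001) -> float:
    """Trapezoid approximation of the primal objective of (18): integral of v^2 g(v) dv."""
    step = (hi - lo) / (n - 1)
    total = 0.0
    for i in range(n):
        v = lo + i * step
        weight = 0.5 if i in (0, n - 1) else 1.0
        total += weight * v * v * density(v, eps)
    return total * step


def dual_solution(eps: float, delta: float, v_max: float = 20.0, h: float = 1e-3):
    """Integrate the IVP (19), eta' + eps|eta| = v^2 - lambda with eta(0) = 0, by RK4.
    lambda = (2 - delta)/eps^2 is an assumption of this example.
    Returns (lambda, samples) with samples a list of (v, eta(v)) for v in [0, v_max]."""
    lam = (2.0 - delta) / eps ** 2

    def rhs(v, eta):
        return v * v - lam - eps * abs(eta)

    v, eta = 0.0, 0.0
    samples = [(v, eta)]
    for _ in range(int(round(v_max / h))):
        k1 = rhs(v, eta)
        k2 = rhs(v + h / 2, eta + h / 2 * k1)
        k3 = rhs(v + h / 2, eta + h / 2 * k2)
        k4 = rhs(v + h, eta + h * k3)
        eta += h / 6 * (k1 + 2 * k2 + 2 * k3 + k4)
        v += h
        samples.append((v, eta))
    return lam, samples


def dual_is_feasible(samples) -> bool:
    """Boundary behaviour of the continuous dual for v >= 0: eta must become positive
    at some point (v3 in Fig. 3) and stay non-decreasing afterwards."""
    crossing = next((i for i, (_, e) in enumerate(samples) if e > 0), None)
    if crossing is None:
        return False
    return all(samples[j + 1][1] >= samples[j][1] for j in range(crossing, len(samples) - 1))


def curvature_change(eps: float, delta: float) -> float:
    """First v with eta'' = 2v + eps*eta' >= 0 while eta < 0 (the point v1).
    While eta < 0 the IVP reads eta' = v^2 - lambda + eps*eta, so eta'' is explicit."""
    lam, samples = dual_solution(eps, delta)
    for v, eta in samples:
        if eta > 0:
            break
        if 2 * v + eps * (v * v - lam + eps * eta) >= 0:
            return v
    return math.nan


def remark2_residual(eps: float, lo=-10.0, hi=10.0, n=2001) -> float:
    """Max residual of eta' + eps|eta| - (v^2 - lambda) for the closed-form dual of Remark 2,
    eta(v) = -v(eps|v| + 2)/eps^2 at lambda = 2/eps^2; zero means it solves the ODE."""
    lam = 2.0 / eps ** 2
    step = (hi - lo) / (n - 1)
    worst = 0.0
    for i in range(n):
        v = lo + i * step
        eta = -v * (eps * abs(v) + 2) / eps ** 2
        d_eta = -(2 * eps * abs(v) + 2) / eps ** 2
        worst = max(worst, abs(d_eta + eps * abs(eta) - (v * v - lam)))
    return worst


if __name__ == "__main__":
    eps, delta = 1.0, 0.1
    print("Lipschitz excess of Laplace noise:", lipschitz_violation(laplace_density, eps))
    print("Laplace MSE:", mean_squared_error(laplace_density, eps), "vs 2/eps^2 =", 2 / eps ** 2)
    lam, samples = dual_solution(eps, delta)
    print("dual cost", lam, "feasible:", dual_is_feasible(samples))
    print("v1 numeric", curvature_change(eps, delta), "formula", (math.log(2) - math.log(delta)) / eps)
    print("delta = 0 (Remark 2) feasible:", dual_is_feasible(dual_solution(eps, 0.0)[1]))
    print("Remark 2 ODE residual:", remark2_residual(eps))
```

The dual cost returned for $\delta = 0.1$ is $1.9$ for $\varepsilon = 1$, a lower bound on the optimal mean-squared error that sits just below the Laplace value $2$; shrinking $\delta$ moves it closer, which is the weak-duality argument of the proof. The $\delta = 0$ run reproduces Remark 2: $\eta$ stays negative for all $v$, so the limit condition at $+\infty$ fails.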
